Tor-using Mevade botnet is stealthy new version of old threat

The Mevade Trojan and botnet gained unexpected notoriety when it turned out that most of the recent, sudden and massive uptick in Tor users was the result of the malware adding Tor as a method of communication between the bots and the C&C servers.

Fox-IT researchers say that the Mevade botnet is massive and has been around for quite some time.

“A recent detection name that has been used in relation to this botnet is ‘Mevade.A’, but older references suggest the name ‘Sefnit’, which dates back to at least 2009 and also included Tor connectivity. We have found various references that the malware is internally known as SBC to its operators,” commented security specialist Yonathan Klijnsma.

Their findings have now also been confirmed by Microsoft researchers, who have decided to use the old name for the threat.

“Win32/Sefnit is a well-known family which includes a component capable of performing click fraud. From our observations in the wild, this particular component disappeared near the end of 2011. In June 2013 we discovered a new click fraud component which we originally classified as Mevade,” they shared.

Sefnit is actually composed of three distinct components (P2P file seeding, updater and installer, click fraud), each assigned its own tasks.

But how did the malware manage to fly under the radar for a year and a half without being detected by AV solutions?

“The old version of Sefnit relied on click hijacking for performing click fraud. When an infected user was browsing the internet and clicked on a search engine result (such as from Google), sometimes the clicks would be hijacked to travel through advertising agencies to a similar webpage as the intended destination,” the researchers explain.

But this was not very stealthy. Even if the AV didn’t detect the malware at first, users would become suspicious of this behavior, begin to suspect their computer had been infected, and submit suspicious malware files to anti-malware researchers and services.

The authors decided to change this approach, and the malware dropped off the radar. Finally, some three months ago, researchers spotted Sefnit again, though they took it for a whole new malware family, which they dubbed Mevade.

But what they ultimately discovered is that the new threat is an old one, equipped with a more low-key click fraud strategy.

“The Sefnit click fraud component is now structured as a proxy service based on the open-source 3proxy project. The botnet of Sefnit-hosted proxies is used to relay HTTP traffic to pretend to click on advertisements,” they explained. “In this way, the new version of Sefnit exhibits no clear visible user symptoms to bring attention to the botnet.”

This new approach – which, among other things, included longer intervals between click fraud incidents – helped the malware go undetected by users, and also allowed the botnet masters to rake in money via affiliate ad programs.

The Sefnit Trojan has been seen distributed through several channels; for example, packed inside seemingly legitimate programs, it was offered on the eMule peer-to-peer file-sharing network.